7d509913a3d07881ee762b496138ef59681d6ff9a2540b73385d8a686b120a5a

Analysis

max time kernel
130s
max time network
153s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
20-08-2024 12:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

loudplaylatestnull318041611.exe
Size

90.8MB
MD5

f97b86e33d2bd2fd39c52e6e001ef1f6
SHA1

c78c9755fb3a9044958a1728adf291bb35efb0a4
SHA256

7d509913a3d07881ee762b496138ef59681d6ff9a2540b73385d8a686b120a5a
SHA512

9a46d9415107e35241ac14ba8e7639e22afb8b4aeecefe6a8ec382e572fd3bcfb2c215e747695e47d3ab3d651eba6e0e6f7856c39814f7d68ffaaad9f972b118
SSDEEP

1572864:nbW7RwoSmywEZpqAeWFixGiDyQM/5P8fIiateTbxLtjrLFWUXpMicwtYHXCE4h:n4woSxRqAni0iDyRp8fXam/rLAUXpM3Q

Score

8^/10

discovery execution persistence privilege_escalation

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 13 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
2460	powershell.exe
2976	powershell.exe
1744	powershell.exe
1364	powershell.exe
1304	powershell.exe
3032	powershell.exe
2756	powershell.exe
3204	powershell.exe
2444	powershell.exe
2840	powershell.exe
2032	powershell.exe
2188	powershell.exe
3064	powershell.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Loudplay.exeLoudplay.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Control Panel\International\Geo\Nation	Loudplay.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Control Panel\International\Geo\Nation	Loudplay.exe

Executes dropped EXE 5 IoCs

Processes:

Loudplay.exeLoudplay.exeLoudplay.exeLoudplay.exeLoudplay.exe

pid process

2396 Loudplay.exe
2860 Loudplay.exe
2600 Loudplay.exe
1804 Loudplay.exe
956 Loudplay.exe

pid	process
2396	Loudplay.exe
2860	Loudplay.exe
2600	Loudplay.exe
1804	Loudplay.exe
956	Loudplay.exe

Loads dropped DLL 24 IoCs

Processes:

loudplaylatestnull318041611.exeLoudplay.exeLoudplay.exeLoudplay.exeLoudplay.exeLoudplay.exe

pid	process
2388	loudplaylatestnull318041611.exe
2388	loudplaylatestnull318041611.exe
2388	loudplaylatestnull318041611.exe
2388	loudplaylatestnull318041611.exe
2388	loudplaylatestnull318041611.exe
2388	loudplaylatestnull318041611.exe
2388	loudplaylatestnull318041611.exe
2388	loudplaylatestnull318041611.exe
2388	loudplaylatestnull318041611.exe
2388	loudplaylatestnull318041611.exe
2388	loudplaylatestnull318041611.exe
2388	loudplaylatestnull318041611.exe
2388	loudplaylatestnull318041611.exe
2388	loudplaylatestnull318041611.exe
2388	loudplaylatestnull318041611.exe
2396	Loudplay.exe
2860	Loudplay.exe
2600	Loudplay.exe
2860	Loudplay.exe
2860	Loudplay.exe
2860	Loudplay.exe
1804	Loudplay.exe
1804	Loudplay.exe
956	Loudplay.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exereg.exereg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\Loudplay = "\"C:\\Users\\Admin\\AppData\\Local\\Programs\\loudplay\\Loudplay.exe\" --hidden"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\Loudplay = "\"C:\\Users\\Admin\\AppData\\Local\\Programs\\loudplay\\Loudplay.exe\" --hidden"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\Loudplay = "\"C:\\Users\\Admin\\AppData\\Local\\Programs\\loudplay\\Loudplay.exe\" --hidden"	reg.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

Processes:

netsh.exenetsh.exe

description	ioc	process
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

reg.execmd.execmd.exeWMIC.exefindstr.exereg.execmd.exeWMIC.exepowershell.exeWMIC.exeWMIC.exeLoudplay.exewhere.execmd.execmd.execmd.exeipconfig.exepowershell.exepowershell.exereg.execmd.exeWMIC.execmd.execmd.exechcp.comcmd.exeWMIC.exeWMIC.execmd.execmd.execmd.exechcp.comcmd.execmd.exeipconfig.exechcp.comcmd.execmd.exechcp.comcmd.exeWMIC.exechcp.comfindstr.exenetsh.execmd.exepowershell.exepowershell.exepowershell.exereg.execmd.exeWMIC.execmd.execmd.execmd.exepowershell.exeLoudplay.execmd.execmd.execmd.execmd.exechcp.comchcp.comWMIC.exereg.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Loudplay.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	where.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipconfig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipconfig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Loudplay.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Checks processor information in registry 2 TTPs 11 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

reg.exereg.exeLoudplay.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	reg.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	reg.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Loudplay.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Loudplay.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	Loudplay.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	reg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	reg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Loudplay.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	Loudplay.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	Loudplay.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2	Loudplay.exe

Gathers network information 2 TTPs 3 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command and Scripting Interpreter
T1059

Processes:

NETSTAT.EXEipconfig.exeipconfig.exe

pid process

1988 NETSTAT.EXE
1876 ipconfig.exe
1256 ipconfig.exe

pid	process
1988	NETSTAT.EXE
1876	ipconfig.exe
1256	ipconfig.exe

Modifies registry class 18 IoCs

Processes:

loudplaylatestnull318041611.exeLoudplay.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\loudplay\URL Protocol	loudplaylatestnull318041611.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\loudplay\shell	loudplaylatestnull318041611.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\loudplay\URL Protocol	Loudplay.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\loudplay\ = "URL:loudplay"	loudplaylatestnull318041611.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\loudplay\DefaultIcon	loudplaylatestnull318041611.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\loudplay\shell\	loudplaylatestnull318041611.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\loudplay\shell\Open	loudplaylatestnull318041611.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\loudplay\shell\Open\	loudplaylatestnull318041611.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\loudplay\shell\Open\command	loudplaylatestnull318041611.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\loudplay	Loudplay.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\loudplay\ = "URL:loudplay"	Loudplay.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\loudplay\shell\open\command	Loudplay.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\loudplay\shell	Loudplay.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\loudplay\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Programs\\loudplay\\Loudplay.exe\" \"%1\""	Loudplay.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\loudplay	loudplaylatestnull318041611.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000_CLASSES\loudplay\shell\open	Loudplay.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\loudplay\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Programs\\loudplay\\Loudplay.exe"	loudplaylatestnull318041611.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\loudplay\shell\Open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Programs\\loudplay\\Loudplay.exe %1"	loudplaylatestnull318041611.exe

Modifies registry key 1 TTPs 7 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exe

pid process

2960 reg.exe
1440 reg.exe
2268 reg.exe
2100 reg.exe
2492 reg.exe
1212 reg.exe
2276 reg.exe

pid	process
2960	reg.exe
1440	reg.exe
2268	reg.exe
2100	reg.exe
2492	reg.exe
1212	reg.exe
2276	reg.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

loudplaylatestnull318041611.exeLoudplay.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	loudplaylatestnull318041611.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	Loudplay.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	Loudplay.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	Loudplay.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	Loudplay.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	loudplaylatestnull318041611.exe

Suspicious behavior: EnumeratesProcesses 50 IoCs

Processes:

loudplaylatestnull318041611.exepowershell.exepowershell.exepowershell.exeLoudplay.exeLoudplay.exeLoudplay.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
2388	loudplaylatestnull318041611.exe
2388	loudplaylatestnull318041611.exe
2388	loudplaylatestnull318041611.exe
2388	loudplaylatestnull318041611.exe
2460	powershell.exe
3064	powershell.exe
3064	powershell.exe
3064	powershell.exe
1632	powershell.exe
2396	Loudplay.exe
2396	Loudplay.exe
2600	Loudplay.exe
1804	Loudplay.exe
2396	Loudplay.exe
2396	Loudplay.exe
2396	Loudplay.exe
2396	Loudplay.exe
2396	Loudplay.exe
2396	Loudplay.exe
2396	Loudplay.exe
2396	Loudplay.exe
2396	Loudplay.exe
2396	Loudplay.exe
2396	Loudplay.exe
2396	Loudplay.exe
2396	Loudplay.exe
2396	Loudplay.exe
2396	Loudplay.exe
2396	Loudplay.exe
1804	Loudplay.exe
1804	Loudplay.exe
1804	Loudplay.exe
1804	Loudplay.exe
1804	Loudplay.exe
1804	Loudplay.exe
1804	Loudplay.exe
1804	Loudplay.exe
2444	powershell.exe
2188	powershell.exe
2976	powershell.exe
1744	powershell.exe
2840	powershell.exe
2032	powershell.exe
2756	powershell.exe
1304	powershell.exe
3032	powershell.exe
1364	powershell.exe
3204	powershell.exe
2396	Loudplay.exe
2396	Loudplay.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

loudplaylatestnull318041611.exepowershell.exepowershell.exepowershell.exeWMIC.exeWMIC.exe

description	pid	process
Token: SeSecurityPrivilege	2388	loudplaylatestnull318041611.exe
Token: SeDebugPrivilege	2460	powershell.exe
Token: SeDebugPrivilege	3064	powershell.exe
Token: SeDebugPrivilege	1632	powershell.exe
Token: SeIncreaseQuotaPrivilege	2808	WMIC.exe
Token: SeSecurityPrivilege	2808	WMIC.exe
Token: SeTakeOwnershipPrivilege	2808	WMIC.exe
Token: SeLoadDriverPrivilege	2808	WMIC.exe
Token: SeSystemProfilePrivilege	2808	WMIC.exe
Token: SeSystemtimePrivilege	2808	WMIC.exe
Token: SeProfSingleProcessPrivilege	2808	WMIC.exe
Token: SeIncBasePriorityPrivilege	2808	WMIC.exe
Token: SeCreatePagefilePrivilege	2808	WMIC.exe
Token: SeBackupPrivilege	2808	WMIC.exe
Token: SeRestorePrivilege	2808	WMIC.exe
Token: SeShutdownPrivilege	2808	WMIC.exe
Token: SeDebugPrivilege	2808	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2808	WMIC.exe
Token: SeRemoteShutdownPrivilege	2808	WMIC.exe
Token: SeUndockPrivilege	2808	WMIC.exe
Token: SeManageVolumePrivilege	2808	WMIC.exe
Token: 33	2808	WMIC.exe
Token: 34	2808	WMIC.exe
Token: 35	2808	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2808	WMIC.exe
Token: SeSecurityPrivilege	2808	WMIC.exe
Token: SeTakeOwnershipPrivilege	2808	WMIC.exe
Token: SeLoadDriverPrivilege	2808	WMIC.exe
Token: SeSystemProfilePrivilege	2808	WMIC.exe
Token: SeSystemtimePrivilege	2808	WMIC.exe
Token: SeProfSingleProcessPrivilege	2808	WMIC.exe
Token: SeIncBasePriorityPrivilege	2808	WMIC.exe
Token: SeCreatePagefilePrivilege	2808	WMIC.exe
Token: SeBackupPrivilege	2808	WMIC.exe
Token: SeRestorePrivilege	2808	WMIC.exe
Token: SeShutdownPrivilege	2808	WMIC.exe
Token: SeDebugPrivilege	2808	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2808	WMIC.exe
Token: SeRemoteShutdownPrivilege	2808	WMIC.exe
Token: SeUndockPrivilege	2808	WMIC.exe
Token: SeManageVolumePrivilege	2808	WMIC.exe
Token: 33	2808	WMIC.exe
Token: 34	2808	WMIC.exe
Token: 35	2808	WMIC.exe
Token: SeIncreaseQuotaPrivilege	340	WMIC.exe
Token: SeSecurityPrivilege	340	WMIC.exe
Token: SeTakeOwnershipPrivilege	340	WMIC.exe
Token: SeLoadDriverPrivilege	340	WMIC.exe
Token: SeSystemProfilePrivilege	340	WMIC.exe
Token: SeSystemtimePrivilege	340	WMIC.exe
Token: SeProfSingleProcessPrivilege	340	WMIC.exe
Token: SeIncBasePriorityPrivilege	340	WMIC.exe
Token: SeCreatePagefilePrivilege	340	WMIC.exe
Token: SeBackupPrivilege	340	WMIC.exe
Token: SeRestorePrivilege	340	WMIC.exe
Token: SeShutdownPrivilege	340	WMIC.exe
Token: SeDebugPrivilege	340	WMIC.exe
Token: SeSystemEnvironmentPrivilege	340	WMIC.exe
Token: SeRemoteShutdownPrivilege	340	WMIC.exe
Token: SeUndockPrivilege	340	WMIC.exe
Token: SeManageVolumePrivilege	340	WMIC.exe
Token: 33	340	WMIC.exe
Token: 34	340	WMIC.exe
Token: 35	340	WMIC.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

Loudplay.exe

pid process

2396 Loudplay.exe
2396 Loudplay.exe
2396 Loudplay.exe
2396 Loudplay.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

Loudplay.exe

pid process

2396 Loudplay.exe
2396 Loudplay.exe
2396 Loudplay.exe

pid	process
2396	Loudplay.exe
2396	Loudplay.exe
2396	Loudplay.exe
2396	Loudplay.exe

pid	process
2396	Loudplay.exe
2396	Loudplay.exe
2396	Loudplay.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

loudplaylatestnull318041611.exepowershell.exeLoudplay.exe

description	pid	process	target process
PID 2388 wrote to memory of 924	2388	loudplaylatestnull318041611.exe	findstr.exe
PID 2388 wrote to memory of 924	2388	loudplaylatestnull318041611.exe	findstr.exe
PID 2388 wrote to memory of 924	2388	loudplaylatestnull318041611.exe	findstr.exe
PID 2388 wrote to memory of 924	2388	loudplaylatestnull318041611.exe	findstr.exe
PID 2388 wrote to memory of 2460	2388	loudplaylatestnull318041611.exe	powershell.exe
PID 2388 wrote to memory of 2460	2388	loudplaylatestnull318041611.exe	powershell.exe
PID 2388 wrote to memory of 2460	2388	loudplaylatestnull318041611.exe	powershell.exe
PID 2388 wrote to memory of 2460	2388	loudplaylatestnull318041611.exe	powershell.exe
PID 2388 wrote to memory of 3064	2388	loudplaylatestnull318041611.exe	powershell.exe
PID 2388 wrote to memory of 3064	2388	loudplaylatestnull318041611.exe	powershell.exe
PID 2388 wrote to memory of 3064	2388	loudplaylatestnull318041611.exe	powershell.exe
PID 2388 wrote to memory of 3064	2388	loudplaylatestnull318041611.exe	powershell.exe
PID 3064 wrote to memory of 1632	3064	powershell.exe	powershell.exe
PID 3064 wrote to memory of 1632	3064	powershell.exe	powershell.exe
PID 3064 wrote to memory of 1632	3064	powershell.exe	powershell.exe
PID 3064 wrote to memory of 1632	3064	powershell.exe	powershell.exe
PID 2396 wrote to memory of 2860	2396	Loudplay.exe	Loudplay.exe
PID 2396 wrote to memory of 2860	2396	Loudplay.exe	Loudplay.exe
PID 2396 wrote to memory of 2860	2396	Loudplay.exe	Loudplay.exe
PID 2396 wrote to memory of 2860	2396	Loudplay.exe	Loudplay.exe
PID 2396 wrote to memory of 2860	2396	Loudplay.exe	Loudplay.exe
PID 2396 wrote to memory of 2860	2396	Loudplay.exe	Loudplay.exe
PID 2396 wrote to memory of 2860	2396	Loudplay.exe	Loudplay.exe
PID 2396 wrote to memory of 2860	2396	Loudplay.exe	Loudplay.exe
PID 2396 wrote to memory of 2860	2396	Loudplay.exe	Loudplay.exe
PID 2396 wrote to memory of 2860	2396	Loudplay.exe	Loudplay.exe
PID 2396 wrote to memory of 2860	2396	Loudplay.exe	Loudplay.exe
PID 2396 wrote to memory of 2860	2396	Loudplay.exe	Loudplay.exe
PID 2396 wrote to memory of 2860	2396	Loudplay.exe	Loudplay.exe
PID 2396 wrote to memory of 2860	2396	Loudplay.exe	Loudplay.exe
PID 2396 wrote to memory of 2860	2396	Loudplay.exe	Loudplay.exe
PID 2396 wrote to memory of 2860	2396	Loudplay.exe	Loudplay.exe
PID 2396 wrote to memory of 2860	2396	Loudplay.exe	Loudplay.exe
PID 2396 wrote to memory of 2860	2396	Loudplay.exe	Loudplay.exe
PID 2396 wrote to memory of 2860	2396	Loudplay.exe	Loudplay.exe
PID 2396 wrote to memory of 2860	2396	Loudplay.exe	Loudplay.exe
PID 2396 wrote to memory of 2860	2396	Loudplay.exe	Loudplay.exe
PID 2396 wrote to memory of 2860	2396	Loudplay.exe	Loudplay.exe
PID 2396 wrote to memory of 2860	2396	Loudplay.exe	Loudplay.exe
PID 2396 wrote to memory of 2860	2396	Loudplay.exe	Loudplay.exe
PID 2396 wrote to memory of 2860	2396	Loudplay.exe	Loudplay.exe
PID 2396 wrote to memory of 2860	2396	Loudplay.exe	Loudplay.exe
PID 2396 wrote to memory of 2860	2396	Loudplay.exe	Loudplay.exe
PID 2396 wrote to memory of 2860	2396	Loudplay.exe	Loudplay.exe
PID 2396 wrote to memory of 2860	2396	Loudplay.exe	Loudplay.exe
PID 2396 wrote to memory of 2860	2396	Loudplay.exe	Loudplay.exe
PID 2396 wrote to memory of 2860	2396	Loudplay.exe	Loudplay.exe
PID 2396 wrote to memory of 2860	2396	Loudplay.exe	Loudplay.exe
PID 2396 wrote to memory of 2860	2396	Loudplay.exe	Loudplay.exe
PID 2396 wrote to memory of 2860	2396	Loudplay.exe	Loudplay.exe
PID 2396 wrote to memory of 2860	2396	Loudplay.exe	Loudplay.exe
PID 2396 wrote to memory of 2860	2396	Loudplay.exe	Loudplay.exe
PID 2396 wrote to memory of 2860	2396	Loudplay.exe	Loudplay.exe
PID 2396 wrote to memory of 2860	2396	Loudplay.exe	Loudplay.exe
PID 2396 wrote to memory of 2860	2396	Loudplay.exe	Loudplay.exe
PID 2396 wrote to memory of 2860	2396	Loudplay.exe	Loudplay.exe
PID 2396 wrote to memory of 2860	2396	Loudplay.exe	Loudplay.exe
PID 2396 wrote to memory of 2860	2396	Loudplay.exe	Loudplay.exe
PID 2396 wrote to memory of 2600	2396	Loudplay.exe	Loudplay.exe
PID 2396 wrote to memory of 2600	2396	Loudplay.exe	Loudplay.exe
PID 2396 wrote to memory of 2600	2396	Loudplay.exe	Loudplay.exe
PID 2396 wrote to memory of 2600	2396	Loudplay.exe	Loudplay.exe
PID 2396 wrote to memory of 1804	2396	Loudplay.exe	Loudplay.exe
PID 2396 wrote to memory of 1804	2396	Loudplay.exe	Loudplay.exe

C:\Users\Admin\AppData\Local\Temp\loudplaylatestnull318041611.exe
"C:\Users\Admin\AppData\Local\Temp\loudplaylatestnull318041611.exe"
1⤵
- Loads dropped DLL
- Modifies registry class
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2388

C:\Windows\SysWOW64\findstr.exe
findstr exe-file "C:\Users\Admin\AppData\Local\Temp\latest.x86.yml"
2⤵
- System Location Discovery: System Language Discovery
PID:924

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "Set-ExecutionPolicy Bypass -Scope CurrentUser -Force"
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2460

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "Start-Process powershell -Wait -WindowStyle Hidden -Verb RunAs -ArgumentList 'C:\Users\Admin\AppData\Local\Temp\loudplay_firewall_rules.ps1'"
2⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3064

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" C:\Users\Admin\AppData\Local\Temp\loudplay_firewall_rules.ps1
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1632

C:\Users\Admin\AppData\Local\Programs\loudplay\Loudplay.exe
"C:\Users\Admin\AppData\Local\Programs\loudplay\Loudplay.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2396

C:\Users\Admin\AppData\Local\Programs\loudplay\Loudplay.exe
"C:\Users\Admin\AppData\Local\Programs\loudplay\Loudplay.exe" --type=gpu-process --field-trial-handle=1992,9244071716525304009,6620930704412899247,131072 --enable-features=WebComponentsV0Enabled --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=2000 /prefetch:2
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2860

C:\Users\Admin\AppData\Local\Programs\loudplay\Loudplay.exe
"C:\Users\Admin\AppData\Local\Programs\loudplay\Loudplay.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1992,9244071716525304009,6620930704412899247,131072 --enable-features=WebComponentsV0Enabled --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --lang=en-US --service-sandbox-type=network --ignore-certificate-errors --ignore-certificate-errors --mojo-platform-channel-handle=2296 /prefetch:8
2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
PID:2600

C:\Users\Admin\AppData\Local\Programs\loudplay\Loudplay.exe
"C:\Users\Admin\AppData\Local\Programs\loudplay\Loudplay.exe" --type=renderer --field-trial-handle=1992,9244071716525304009,6620930704412899247,131072 --enable-features=WebComponentsV0Enabled --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --disable-gpu-compositing --lang=en-US --app-path="C:\Users\Admin\AppData\Local\Programs\loudplay\resources\app.asar" --node-integration --node-integration-in-worker --no-sandbox --no-zygote --enable-remote-module --background-color=#000 --enable-spellcheck --enable-websql --disable-electron-site-instance-overrides --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2428 /prefetch:1
2⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1804

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "chcp"
2⤵
PID:2088

C:\Windows\SysWOW64\chcp.com
chcp
3⤵
PID:2628

C:\Windows\SysWOW64\reg.exe
C:\Windows\system32\reg.exe QUERY HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Loudplay
2⤵
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:2492

C:\Windows\SysWOW64\reg.exe
C:\Windows\system32\reg.exe QUERY HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Loudplay
2⤵
- Modifies registry key
PID:2276

C:\Windows\SysWOW64\reg.exe
C:\Windows\system32\reg.exe QUERY HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Loudplay
2⤵
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:1212

C:\Windows\SysWOW64\reg.exe
C:\Windows\system32\reg.exe QUERY HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Loudplay
2⤵
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:2960

C:\Windows\SysWOW64\reg.exe
C:\Windows\system32\reg.exe ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Loudplay /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Programs\loudplay\Loudplay.exe\" --hidden" /f
2⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:2100

C:\Windows\SysWOW64\reg.exe
C:\Windows\system32\reg.exe ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Loudplay /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Programs\loudplay\Loudplay.exe\" --hidden" /f
2⤵
- Adds Run key to start application
- Modifies registry key
PID:2268

C:\Windows\SysWOW64\reg.exe
C:\Windows\system32\reg.exe ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Loudplay /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Programs\loudplay\Loudplay.exe\" --hidden" /f
2⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:1440

C:\Users\Admin\AppData\Local\Programs\loudplay\Loudplay.exe
"C:\Users\Admin\AppData\Local\Programs\loudplay\Loudplay.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1992,9244071716525304009,6620930704412899247,131072 --enable-features=WebComponentsV0Enabled --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --lang=en-US --service-sandbox-type=audio --ignore-certificate-errors --ignore-certificate-errors --mojo-platform-channel-handle=2472 /prefetch:8
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:956

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "netstat -r"
2⤵
- System Location Discovery: System Language Discovery
PID:2616

C:\Windows\SysWOW64\NETSTAT.EXE
netstat -r
3⤵
- Gathers network information
PID:1988

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\system32\route.exe" print
4⤵
- System Location Discovery: System Language Discovery
PID:1484

C:\Windows\SysWOW64\ROUTE.EXE
C:\Windows\system32\route.exe print
5⤵
PID:2128

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\wbem\wmic.exe nic get /value"
2⤵
- System Location Discovery: System Language Discovery
PID:1444

C:\Windows\SysWOW64\wbem\WMIC.exe
C:\Windows\system32\wbem\wmic.exe nic get /value
3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2808

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\wbem\wmic.exe nicconfig get dhcpEnabled /value"
2⤵
- System Location Discovery: System Language Discovery
PID:1048

C:\Windows\SysWOW64\wbem\WMIC.exe
C:\Windows\system32\wbem\wmic.exe nicconfig get dhcpEnabled /value
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:340

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "netsh lan show profiles"
2⤵
- System Location Discovery: System Language Discovery
PID:1860

C:\Windows\SysWOW64\netsh.exe
netsh lan show profiles
3⤵
- Event Triggered Execution: Netsh Helper DLL
PID:2684

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "ipconfig /all"
2⤵
- System Location Discovery: System Language Discovery
PID:284

C:\Windows\SysWOW64\ipconfig.exe
ipconfig /all
3⤵
- System Location Discovery: System Language Discovery
- Gathers network information
PID:1876

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "echo %COMPUTERNAME%.%USERDNSDOMAIN%"
2⤵
PID:2424

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "%windir%\sysnative\cmd.exe /c %windir%\System32\reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography" /v MachineGuid"
2⤵
PID:2956

C:\Windows\system32\cmd.exe
C:\Windows\sysnative\cmd.exe /c C:\Windows\System32\reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography" /v MachineGuid
3⤵
PID:1212

C:\Windows\System32\reg.exe
C:\Windows\System32\reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography" /v MachineGuid
4⤵
PID:2540

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "openssl version"
2⤵
PID:1684

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "npm -v"
2⤵
PID:2968

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "pm2.cmd -v"
2⤵
PID:2960

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "yarn --version"
2⤵
PID:2972

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "gulp.cmd --version"
2⤵
PID:2276

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "tsc.cmd --version"
2⤵
PID:464

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "grunt.cmd --version"
2⤵
- System Location Discovery: System Language Discovery
PID:1296

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "git --version"
2⤵
- System Location Discovery: System Language Discovery
PID:2988

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "apachectl -v 2>&1"
2⤵
PID:2936

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "nginx -v 2>&1"
2⤵
PID:1784

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "mysql -V"
2⤵
- System Location Discovery: System Language Discovery
PID:1764

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "php -v"
2⤵
- System Location Discovery: System Language Discovery
PID:2464

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "redis-server --version"
2⤵
- System Location Discovery: System Language Discovery
PID:2208

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "docker --version"
2⤵
PID:1316

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "postconf -d | grep mail_version"
2⤵
PID:1004

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "mongod --version"
2⤵
PID:3052

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "perl -v"
2⤵
PID:2928

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "python -V 2>&1"
2⤵
PID:2672

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "python3 -V 2>&1"
2⤵
PID:1332

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "pip -V 2>&1"
2⤵
PID:2380

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "pip3 -V 2>&1"
2⤵
- System Location Discovery: System Language Discovery
PID:1696

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "java -version 2>&1"
2⤵
PID:836

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "gcc -dumpversion"
2⤵
- System Location Discovery: System Language Discovery
PID:2436

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c ""undefined\VBoxManage.exe" -v 2>&1"
2⤵
PID:1604

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "bash --version"
2⤵
PID:3064

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "zsh --version"
2⤵
PID:2700

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "fish --version"
2⤵
PID:2116

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "reg query "HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0" /v FeatureSet"
2⤵
- System Location Discovery: System Language Discovery
PID:2724

C:\Windows\SysWOW64\reg.exe
reg query "HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0" /v FeatureSet
3⤵
- Checks processor information in registry
PID:1944

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\wbem\wmic.exe nic get /value"
2⤵
PID:2760

C:\Windows\SysWOW64\wbem\WMIC.exe
C:\Windows\system32\wbem\wmic.exe nic get /value
3⤵
- System Location Discovery: System Language Discovery
PID:1600

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\wbem\wmic.exe nicconfig get dhcpEnabled /value"
2⤵
- System Location Discovery: System Language Discovery
PID:2812

C:\Windows\SysWOW64\wbem\WMIC.exe
C:\Windows\system32\wbem\wmic.exe nicconfig get dhcpEnabled /value
3⤵
PID:2088

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "netsh lan show profiles"
2⤵
PID:2292

C:\Windows\SysWOW64\netsh.exe
netsh lan show profiles
3⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:524

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "ipconfig /all"
2⤵
PID:2268

C:\Windows\SysWOW64\ipconfig.exe
ipconfig /all
3⤵
- System Location Discovery: System Language Discovery
- Gathers network information
PID:1256

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "WHERE smartctl 2>nul"
2⤵
PID:1932

C:\Windows\SysWOW64\where.exe
WHERE smartctl
3⤵
- System Location Discovery: System Language Discovery
PID:1440

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\chcp.com 65001 | C:\Windows\system32\wbem\wmic.exe csproduct get /value"
2⤵
- System Location Discovery: System Language Discovery
PID:304

C:\Windows\SysWOW64\chcp.com
C:\Windows\system32\chcp.com 65001
3⤵
- System Location Discovery: System Language Discovery
PID:2672

C:\Windows\SysWOW64\wbem\WMIC.exe
C:\Windows\system32\wbem\wmic.exe csproduct get /value
3⤵
PID:3404

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\chcp.com 65001 | C:\Windows\system32\wbem\wmic.exe bios get /value"
2⤵
- System Location Discovery: System Language Discovery
PID:2060

C:\Windows\SysWOW64\chcp.com
C:\Windows\system32\chcp.com 65001
3⤵
- System Location Discovery: System Language Discovery
PID:2020

C:\Windows\SysWOW64\wbem\WMIC.exe
C:\Windows\system32\wbem\wmic.exe bios get /value
3⤵
- System Location Discovery: System Language Discovery
PID:1876

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\chcp.com 65001 | C:\Windows\system32\wbem\wmic.exe baseboard get /value"
2⤵
- System Location Discovery: System Language Discovery
PID:1108

C:\Windows\SysWOW64\chcp.com
C:\Windows\system32\chcp.com 65001
3⤵
PID:2512

C:\Windows\SysWOW64\wbem\WMIC.exe
C:\Windows\system32\wbem\wmic.exe baseboard get /value
3⤵
PID:1892

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\chcp.com 65001 | C:\Windows\system32\wbem\wmic.exe memphysical get MaxCapacity, MemoryDevices /value"
2⤵
- System Location Discovery: System Language Discovery
PID:3012

C:\Windows\SysWOW64\chcp.com
C:\Windows\system32\chcp.com 65001
3⤵
PID:2208

C:\Windows\SysWOW64\wbem\WMIC.exe
C:\Windows\system32\wbem\wmic.exe memphysical get MaxCapacity, MemoryDevices /value
3⤵
- System Location Discovery: System Language Discovery
PID:3348

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\chcp.com 65001 | C:\Windows\system32\wbem\wmic.exe path Win32_SystemEnclosure get /value"
2⤵
PID:704

C:\Windows\SysWOW64\chcp.com
C:\Windows\system32\chcp.com 65001
3⤵
- System Location Discovery: System Language Discovery
PID:700

C:\Windows\SysWOW64\wbem\WMIC.exe
C:\Windows\system32\wbem\wmic.exe path Win32_SystemEnclosure get /value
3⤵
- System Location Discovery: System Language Discovery
PID:1136

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\chcp.com 65001 | C:\Windows\system32\wbem\wmic.exe os get /value"
2⤵
PID:1816

C:\Windows\SysWOW64\chcp.com
C:\Windows\system32\chcp.com 65001
3⤵
PID:964

C:\Windows\SysWOW64\wbem\WMIC.exe
C:\Windows\system32\wbem\wmic.exe os get /value
3⤵
PID:2300

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:2976

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:1744

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\chcp.com 65001 | C:\Windows\system32\wbem\wmic.exe service get /value"
2⤵
- System Location Discovery: System Language Discovery
PID:1664

C:\Windows\SysWOW64\chcp.com
C:\Windows\system32\chcp.com 65001
3⤵
PID:1944

C:\Windows\SysWOW64\wbem\WMIC.exe
C:\Windows\system32\wbem\wmic.exe service get /value
3⤵
PID:3412

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:1364

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:2444

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\chcp.com 65001 | C:\Windows\system32\wbem\wmic.exe path win32_VideoController get /value"
2⤵
- System Location Discovery: System Language Discovery
PID:1896

C:\Windows\SysWOW64\chcp.com
C:\Windows\system32\chcp.com 65001
3⤵
- System Location Discovery: System Language Discovery
PID:1316

C:\Windows\SysWOW64\wbem\WMIC.exe
C:\Windows\system32\wbem\wmic.exe path win32_VideoController get /value
3⤵
- System Location Discovery: System Language Discovery
PID:3340

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
2⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2840

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\chcp.com 65001 | C:\Windows\system32\wbem\wmic.exe path win32_desktopmonitor get /value"
2⤵
- System Location Discovery: System Language Discovery
PID:2664

C:\Windows\SysWOW64\chcp.com
C:\Windows\system32\chcp.com 65001
3⤵
PID:1440

C:\Windows\SysWOW64\wbem\WMIC.exe
C:\Windows\system32\wbem\wmic.exe path win32_desktopmonitor get /value
3⤵
PID:2388

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
2⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2032

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:1304

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
2⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2188

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
2⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:3032

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\chcp.com 65001 | C:\Windows\system32\wbem\wmic.exe memorychip get /value"
2⤵
PID:2808

C:\Windows\SysWOW64\chcp.com
C:\Windows\system32\chcp.com 65001
3⤵
PID:920

C:\Windows\SysWOW64\wbem\WMIC.exe
C:\Windows\system32\wbem\wmic.exe memorychip get /value
3⤵
- System Location Discovery: System Language Discovery
PID:3388

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\chcp.com 65001 | C:\Windows\system32\wbem\wmic.exe diskdrive get /value"
2⤵
PID:1480

C:\Windows\SysWOW64\chcp.com
C:\Windows\system32\chcp.com 65001
3⤵
- System Location Discovery: System Language Discovery
PID:2072

C:\Windows\SysWOW64\wbem\WMIC.exe
C:\Windows\system32\wbem\wmic.exe diskdrive get /value
3⤵
PID:1732

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
2⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2756

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "reg query "HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0" /v FeatureSet"
2⤵
PID:1536

C:\Windows\SysWOW64\reg.exe
reg query "HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0" /v FeatureSet
3⤵
- Checks processor information in registry
PID:1952

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "gcc --version"
2⤵
- System Location Discovery: System Language Discovery
PID:2796

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\chcp.com 65001 | C:\Windows\system32\wbem\wmic.exe csproduct get /value"
2⤵
PID:1608

C:\Windows\SysWOW64\chcp.com
C:\Windows\system32\chcp.com 65001
3⤵
PID:2200

C:\Windows\SysWOW64\wbem\WMIC.exe
C:\Windows\system32\wbem\wmic.exe csproduct get /value
3⤵
- System Location Discovery: System Language Discovery
PID:3396

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\chcp.com 65001 | C:\Windows\system32\wbem\wmic.exe cpu get /value"
2⤵
PID:2380

C:\Windows\SysWOW64\chcp.com
C:\Windows\system32\chcp.com 65001
3⤵
PID:3184

C:\Windows\SysWOW64\wbem\WMIC.exe
C:\Windows\system32\wbem\wmic.exe cpu get /value
3⤵
PID:3332

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\chcp.com 65001 | C:\Windows\system32\wbem\wmic.exe path Win32_CacheMemory get CacheType,InstalledSize,Purpose"
2⤵
- System Location Discovery: System Language Discovery
PID:2888

C:\Windows\SysWOW64\chcp.com
C:\Windows\system32\chcp.com 65001
3⤵
- System Location Discovery: System Language Discovery
PID:3356

C:\Windows\SysWOW64\wbem\WMIC.exe
C:\Windows\system32\wbem\wmic.exe path Win32_CacheMemory get CacheType,InstalledSize,Purpose
3⤵
PID:3368

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoLogo -InputFormat Text -NoExit -ExecutionPolicy Unrestricted -Command -
2⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:3204

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "findstr /C:"Detected boot environment" "%windir%\Panther\setupact.log""
2⤵
- System Location Discovery: System Language Discovery
PID:3848

C:\Windows\SysWOW64\findstr.exe
findstr /C:"Detected boot environment" "C:\Windows\Panther\setupact.log"
3⤵
- System Location Discovery: System Language Discovery
PID:3900

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\chcp.com 65001 | C:\Windows\system32\wbem\wmic.exe /namespace:\\root\wmi path MS_SystemInformation get /value"
2⤵
- System Location Discovery: System Language Discovery
PID:3916

C:\Windows\SysWOW64\chcp.com
C:\Windows\system32\chcp.com 65001
3⤵
PID:3980

C:\Windows\SysWOW64\wbem\WMIC.exe
C:\Windows\system32\wbem\wmic.exe /namespace:\\root\wmi path MS_SystemInformation get /value
3⤵
- System Location Discovery: System Language Discovery
PID:3996

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\chcp.com 65001 | C:\Windows\system32\wbem\wmic.exe bios get Version, SerialNumber, SMBIOSBIOSVersion"
2⤵
PID:4088

C:\Windows\SysWOW64\chcp.com
C:\Windows\system32\chcp.com 65001
3⤵
PID:2900

C:\Windows\SysWOW64\wbem\WMIC.exe
C:\Windows\system32\wbem\wmic.exe bios get Version, SerialNumber, SMBIOSBIOSVersion
3⤵
PID:3112

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\chcp.com 65001 | C:\Windows\system32\wbem\wmic.exe pagefile get AllocatedBaseSize, CurrentUsage"
2⤵
- System Location Discovery: System Language Discovery
PID:3132

C:\Windows\SysWOW64\chcp.com
C:\Windows\system32\chcp.com 65001
3⤵
- System Location Discovery: System Language Discovery
PID:3028

C:\Windows\SysWOW64\wbem\WMIC.exe
C:\Windows\system32\wbem\wmic.exe pagefile get AllocatedBaseSize, CurrentUsage
3⤵
- System Location Discovery: System Language Discovery
PID:2660

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1227945505-2081864774680986497900578450-15791643931949524019-1271651639-232269217"
1⤵
PID:1600

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-736500414-1814334972104865022-353066822-4029582301138636458864142787-287632436"
1⤵
PID:1256

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "4009051531159138461-1695543830-15772788901412906159-1533404332-10864162-138612659"
1⤵
PID:1932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751

Filesize
717B

MD5
822467b728b7a66b081c91795373789a

SHA1
d8f2f02e1eef62485a9feffd59ce837511749865

SHA256
af2343382b88335eea72251ad84949e244ff54b6995063e24459a7216e9576b9

SHA512
bacea07d92c32078ca6a0161549b4e18edab745dd44947e5f181d28cc24468e07769d6835816cdfb944fd3d0099bde5e21b48f4966824c5c16c1801712303eb6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

Filesize
192B

MD5
d2995f99481ea8b5cca4da6e1dfed249

SHA1
9113b673cc53d6a4c123238acc108d8f3c63b7a6

SHA256
c1ed6671478cd4f5048cf03a39d6f9f6f9888aea3fbdc1b032775740771e768e

SHA512
422d922cbb73915180646a0b7afd11217847af3d3ee8f94399db9c4dc173163447cb7904397ac3d70fd5f6cdd07039925bdad4c063ba92aaf7a5103cd78e0995

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1af1a6f4d6e58c0a6328bd373645c9d7

SHA1
6580d91d60b6efb03f7819562a17cfe6bada7902

SHA256
6386348cf287325f2c90498c5c1bc67a964b3e6274c308564b65283b1d3776ee

SHA512
a2a0d4bc44900828db7ff99922aaf1a797e5ac0d46c53d4c0188c6454b637eb47c32125ea2c87ebe075a107ad39649ae146a0fe6f319d89a91c7c8efce3d4056

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
842364b4122fb9b131ea7c9b6bac4b90

SHA1
ca0db8340386bd7c01bb23eef7306e976e825c3d

SHA256
1c0be1066ab45f9a4e9a3339f2926bb263f1c34ad7965e235729024838f8e842

SHA512
3d25a78183a0c5e0ab5f602af04fc7b94e52480288597d46d227c9a77786ad38d607c4a95e4a1193a8e7ce354931e5109cbe36b02f9041e5f7b8caf489427548

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cce945ba216d41998af749531b6a8138

SHA1
123f91a507660545118ee270aacb705e644ea47b

SHA256
5fa563f6add1dc5040cab6259d2e61dbde628cef11e3bab8079c5a3d84833fe4

SHA512
ca1e5f34e8792701ef3eab984c15638974f5d104356e0901af58e9a20d5570d0c35f429ba827bb36bf3cd9555b782ffbb758c891a59ddd40a7a113f0f5cfe02f

Download Submit
C:\Users\Admin\AppData\Local\Programs\loudplay\D3DCompiler_47.dll

Filesize
3.5MB

MD5
2f2e363c9a9baa0a9626db374cc4e8a4

SHA1
17f405e81e5fce4c5a02ca049f7bd48b31674c8f

SHA256
2630f4188bd2ea5451ca61d83869bf7068a4f0440401c949a9feb9fb476e15df

SHA512
e668a5d1f5e6f821ebfa0913e201f0dfd8da2f96605701f8db18d14ea4fdeac73aeb9b4fe1f22eaeffcdd1c0f73a6701763727d5b09775666f82b678404e4924

Download Submit
C:\Users\Admin\AppData\Local\Programs\loudplay\chrome_100_percent.pak

Filesize
121KB

MD5
06baf0ad34e0231bd76651203dba8326

SHA1
a5f99ecdcc06dec9d7f9ce0a8c66e46969117391

SHA256
5ae14147992a92548bcad76867dd88cdfcdb69d951c8720920cce6fb135e3189

SHA512
aff6616e56781ebb925a0ca146245ad3b2827250b32261c0c7c0d5b10b20a343a17fc3761c95d93104163e77b2eae3f1f9cbd3cb2b377f49b42bea39bdd09b91

Download Submit
C:\Users\Admin\AppData\Local\Programs\loudplay\chrome_200_percent.pak

Filesize
181KB

MD5
57c27201e7cd33471da7ec205fe9973c

SHA1
a8e7bce09c4cbdae2797611b2be8aeb5491036f9

SHA256
dd8146b2ee289e4d54a4a0f1fd3b2f61b979c6a2baaba96a406d96c3f4fdb33b

SHA512
57258aa169bec66abf0f45a3e026bb68751fb970b74bd0cb465607fa3b2a89967e832d92d8f675f0449bb6662fcb7786d05f0597124cc8e18bb99a47245779b4

Download Submit
C:\Users\Admin\AppData\Local\Programs\loudplay\icudtl.dat

Filesize
10.0MB

MD5
ad2988770b8cb3281a28783ad833a201

SHA1
94b7586ee187d9b58405485f4c551b55615f11b5

SHA256
df876c7af43ed93eec6aea4d2d55c805009c219653cdeb368f1d048f4922b108

SHA512
f27e542a9c6c60fa28c5b7cc2818079341ef93aef3bbcadecad2dc11aff5b1592b19c7ebfa543ea42a3cbfec26a668641b255545fb0912056e25e852c2dedd01

Download Submit
C:\Users\Admin\AppData\Local\Programs\loudplay\locales\en-US.pak

Filesize
83KB

MD5
bd8f7b719110342b7cefb16ddd05ec55

SHA1
82a79aeaa1dd4b1464b67053ba1766a4498c13e7

SHA256
d1d3f892be16329c79f9a8ee8c5fa1c9fb46d17edfeb56a3d9407f9d7587a0de

SHA512
7cd1493e59e87c70927e66769eb200f79a57e1eb1223af4eb4064088571893d3e32cbc4b5ece568fd308992aad65684aa280dc9834f2b5d327bdee514b046e5e

Download Submit
C:\Users\Admin\AppData\Local\Programs\loudplay\resources.pak

Filesize
4.8MB

MD5
d13873f6fb051266deb3599b14535806

SHA1
143782c0ce5a5773ae0aae7a22377c8a6d18a5b2

SHA256
7b953443e3cd54a0a4775528b52fbfe5ebecbc2c71731600ed0999d227969506

SHA512
1ab38fcb70d1958c74da2493459532b52a04b884009509a1ac8dd39f6e9e670658a52f4d19ef57f1bc71dccfdd6ceedbc18034bbcad0b500d75a97c74aac6939

Download Submit
C:\Users\Admin\AppData\Local\Programs\loudplay\v8_context_snapshot.bin

Filesize
167KB

MD5
2c28ffbe331f4a32c7799bcb941dcca1

SHA1
d572497341ac1e8079531616f0bef7611dd12243

SHA256
96d85880d161bd37a28ad13777337e5121189a6ac45b9232c74e052d6d1e27f2

SHA512
f18ca45dbd04499bb3ea74cb59414ae4bf497be0cedd96d9f3693591198a1afeaf48ae4e7c7a0c31e31c1a128a34c990f2837fb576e0ffb288edc860b27563ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabDE7D.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarDE8F.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\latest.x86.yml

Filesize
243B

MD5
2ae555faff123f9cf21a5ed6d3e9fc6a

SHA1
435c264a68fc678c52c2b2affda1348f764f8c5e

SHA256
aa91d174a8fc92a5ac6ba0c4d42b5c885337f52d8a4982e3c262c0db015f9711

SHA512
22e44b9008cfe84727305fa6e5a0c782c5688d342c47bef22169a6eb331b208285a318093e7d65094280613cd37da22f4bca500916b0dcfa3e20d0b65ed4ca3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\loudplay_firewall_rules.ps1

Filesize
351B

MD5
6aa91f00a13fab945c252a692647b133

SHA1
19199e35c8480b650d78e83a3004caf412743e4b

SHA256
92c5edea86640aff77fd145ad836fc0044fae718d380538dbf09b9495e74e942

SHA512
cc7fafb169c5b5e17ca5da5585aa5ba0266a0987bc2d38dda2953f083e26a40f9385e41240f671c7579a21f500a20e59e0a606b9656ba245f9e1e7a19e9c844e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyB2FB.tmp\StdUtils.dll

Filesize
100KB

MD5
c6a6e03f77c313b267498515488c5740

SHA1
3d49fc2784b9450962ed6b82b46e9c3c957d7c15

SHA256
b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e

SHA512
9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyB2FB.tmp\nsProcess.dll

Filesize
4KB

MD5
f0438a894f3a7e01a4aae8d1b5dd0289

SHA1
b058e3fcfb7b550041da16bf10d8837024c38bf6

SHA256
30c6c3dd3cc7fcea6e6081ce821adc7b2888542dae30bf00e881c0a105eb4d11

SHA512
f91fcea19cbddf8086affcb63fe599dc2b36351fc81ac144f58a80a524043ddeaa3943f36c86ebae45dd82e8faf622ea7b7c9b776e74c54b93df2963cfe66cc7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
3e95b8024694599060a15a80fdd1f2b2

SHA1
248894946e0ebfda639847a9bcf3d1ece43add1d

SHA256
07a9bd7782de8df691d96e79b33a8e58bc54b764c847d2f6ab6c802043c67992

SHA512
78e66a28ab0bd01c2a07c413e49acd2e996c33a0780da23ea5d4543c026ad1b781871cc9c9d5e9933708d3b4ed21ad00f840e47fae6b6068ead55ab0a53c4e3b

Download Submit
C:\Users\Admin\AppData\Roaming\loudplay\9b88279a-0649-4574-98a6-e5a87d1b1b08.tmp

Filesize
57B

MD5
58127c59cb9e1da127904c341d15372b

SHA1
62445484661d8036ce9788baeaba31d204e9a5fc

SHA256
be4b8924ab38e8acf350e6e3b9f1f63a1a94952d8002759acd6946c4d5d0b5de

SHA512
8d1815b277a93ad590ff79b6f52c576cf920c38c4353c24193f707d66884c942f39ff3989530055d2fade540ade243b41b6eb03cd0cc361c3b5d514cca28b50a

Download Submit
C:\Users\Admin\AppData\Roaming\loudplay\Session Storage\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Roaming\loudplay\en-US-9-0.bdic

Filesize
441KB

MD5
a78ad14e77147e7de3647e61964c0335

SHA1
cecc3dd41f4cea0192b24300c71e1911bd4fce45

SHA256
0d6803758ff8f87081fafd62e90f0950dfb2dd7991e9607fe76a8f92d0e893fa

SHA512
dde24d5ad50d68fc91e9e325d31e66ef8f624b6bb3a07d14ffed1104d3ab5f4ef1d7969a5cde0dfbb19cb31c506f7de97af67c2f244f7e7e8e10648ea8321101

Download Submit
\??\PIPE\srvsvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Local\Programs\loudplay\ffmpeg.dll

Filesize
2.5MB

MD5
594100c352317c2027cbccb5b8c0e54e

SHA1
17d1df60cd4e7aedd3801c4e55be1d7afaf13487

SHA256
1b2fbefaf3f4c503621374b191aee676a6457e4dd12931e020ce8d6700692b78

SHA512
a21248c9b7862aa3ff09ca5a7db3cbf45fc255d60c214b5018e0968027e5f4e2cd1baacda210f673238eefbf1fa4d3bdfa3d9ffc25073c7195cbe2a0bccfb492

Download Submit
\Users\Admin\AppData\Local\Programs\loudplay\swiftshader\libEGL.dll

Filesize
379KB

MD5
d4cf83f1825f90d8874064f320869a9f

SHA1
af77ddbea239a75793e02faf664ab8d2f76b30e0

SHA256
381becc89734be051b4acf30b3bb29fe07895b6f148b4e9cbcdca167cdb6d071

SHA512
d90cb37b01199c800016c55e0879b8049876fafbf3148a73fd18af8a63092b1e8c6439643789e2ca5a56ca55893844b3e301ab5c35bfe5ea31bbdbda727bede9

Download Submit
\Users\Admin\AppData\Local\Programs\loudplay\swiftshader\libGLESv2.dll

Filesize
2.7MB

MD5
f82e1f3e89414d5b632c15e747f17087

SHA1
0d66035f1cb4526be2493915c55b005c20b88c8a

SHA256
7c81336f390c55a5b04841e835051ca2701bf7ab3e6316d73c968e30bfcd4be7

SHA512
d4826e2636e26bb1335406c4823a03465f2469de2951b5c5837290687f1796c6457c06036a18e1ce935b3aa80d8e909e19b3ddac60bb7e93dbd7770fe42a3cf8

Download Submit
\Users\Admin\AppData\Local\Temp\6c496f8d-9475-4436-b42a-16b014f578b8.tmp.node

Filesize
1.2MB

MD5
c71f33dabbd487ddafc767470395f346

SHA1
f9954b8c6d9ee39758316b170fcd925632fa886f

SHA256
3ee841cf169376d85484520c908b51cbd01fba2623409efb348242dfe32ded3f

SHA512
0307db845d059b5b72701c55db9b2632d9882de4749735cddd9100076b513df3fd2ec49d5ee7f5a0e3dafb39d772d6f5f05b8727df624ab514c212352031b6fb

Download Submit
\Users\Admin\AppData\Local\Temp\nsyB2FB.tmp\INetC.dll

Filesize
238KB

MD5
38caa11a462b16538e0a3daeb2fc0eaf

SHA1
c22a190b83f4b6dc0d6a44b98eac1a89a78de55c

SHA256
ed04a4823f221e9197b8f3c3da1d6859ff5b176185bde2f1c923a442516c810a

SHA512
777135e05e908ac26bfce0a9c425b57f7132c1cdb0969bbb6ef625748c868860602bacc633c61cab36d0375b94b6bcfbd8bd8c7fa781495ef7332e362f8d44d1

Download Submit
\Users\Admin\AppData\Local\Temp\nsyB2FB.tmp\SpiderBanner.dll

Filesize
9KB

MD5
17309e33b596ba3a5693b4d3e85cf8d7

SHA1
7d361836cf53df42021c7f2b148aec9458818c01

SHA256
996a259e53ca18b89ec36d038c40148957c978c0fd600a268497d4c92f882a93

SHA512
1abac3ce4f2d5e4a635162e16cf9125e059ba1539f70086c2d71cd00d41a6e2a54d468e6f37792e55a822d7082fb388b8dfecc79b59226bbb047b7d28d44d298

Download Submit
\Users\Admin\AppData\Local\Temp\nsyB2FB.tmp\System.dll

Filesize
12KB

MD5
0d7ad4f45dc6f5aa87f606d0331c6901

SHA1
48df0911f0484cbe2a8cdd5362140b63c41ee457

SHA256
3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca

SHA512
c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

Download Submit
\Users\Admin\AppData\Local\Temp\nsyB2FB.tmp\WinShell.dll

Filesize
3KB

MD5
1cc7c37b7e0c8cd8bf04b6cc283e1e56

SHA1
0b9519763be6625bd5abce175dcc59c96d100d4c

SHA256
9be85b986ea66a6997dde658abe82b3147ed2a1a3dcb784bb5176f41d22815a6

SHA512
7acf7f8e68aa6066b59ca9f2ae2e67997e6b347bc08eb788d2a119b3295c844b5b9606757168e8d2fbd61c2cda367bf80e9e48c9a52c28d5a7a00464bfd2048f

Download Submit
\Users\Admin\AppData\Local\Temp\nsyB2FB.tmp\nsExec.dll

Filesize
6KB

MD5
ec0504e6b8a11d5aad43b296beeb84b2

SHA1
91b5ce085130c8c7194d66b2439ec9e1c206497c

SHA256
5d9ceb1ce5f35aea5f9e5a0c0edeeec04dfefe0c77890c80c70e98209b58b962

SHA512
3f918f1b47e8a919cbe51eb17dc30acc8cfc18e743a1bae5b787d0db7d26038dc1210be98bf5ba3be8d6ed896dbbd7ac3d13e66454a98b2a38c7e69dad30bb57

Download Submit
\Users\Admin\AppData\Local\Temp\nsyB2FB.tmp\nsis7z.dll

Filesize
424KB

MD5
80e44ce4895304c6a3a831310fbf8cd0

SHA1
36bd49ae21c460be5753a904b4501f1abca53508

SHA256
b393f05e8ff919ef071181050e1873c9a776e1a0ae8329aefff7007d0cadf592

SHA512
c8ba7b1f9113ead23e993e74a48c4427ae3562c1f6d9910b2bbe6806c9107cf7d94bc7d204613e4743d0cd869e00dafd4fb54aad1e8adb69c553f3b9e5bc64df

Download Submit
memory/2388-251-0x0000000004220000-0x0000000004222000-memory.dmp

Filesize
8KB

Download
memory/2860-263-0x00000000000D0000-0x00000000000D1000-memory.dmp

Filesize
4KB

Download